As I currently understand, there exist two methods for extending keys in a hierarchical deterministic wallet: regular derivation, and hardened derivation. Hardened derivation essentially “breaks the chain,” adding security because through normal derivation, a leaked child private key, along with the chain code, could be used to derive any parent private keys through subtraction.
Normal child private key derivation would happen like this: Take the HMAC-SHA512 hash of the parent public key, parent chain code, and index number. The first 256 bits are added to the parent private key to derive the child private key, and the other 256 bits are the child chain code. Using this, an adversary who possesses a child private key and the chain code could use subtraction to find the parent private key. And hardened derivation is similar, but the parent private key is used as input to the hashing function so it can’t be reversed, even if the chain code is known. The disadvantage is that a parent private key is required to generate child public keys, eliminating the possibility of a “receive only” machine having access to public keys only.
My question is, why is reversible arithmetic (addition of the parent private key and output from the hashing function) used instead of a “one way” function such as elliptic curve addition or others?
We have equations like this, where hash is the first half of the HMAC-SHA512 hash, K, k are parent keys and K1, k1 are children: K + hash = K1, k + hash = k1. There is no one-directional arithmetic operation that would allow the same to be true? – Ivan G. – 2017-12-08T21:12:17.750

No, this is provably impossible with just elliptic curve based derivations. The constructions you will come up with will either be insecure, or impossible to do without the private keys. – Pieter Wuille – 2017-12-08T22:53:44.870